From: John Ferlan
To: libvir-list@redhat.com
Cc: ashish.mittal@veritas.com
Date: Wed, 30 Aug 2017 18:46:10 -0400
Subject: [libvirt] [PATCH v6 10/13] qemu: Introduce qemuDomainPrepareDiskSource
Message-Id: <20170830224613.24738-11-jferlan@redhat.com>
In-Reply-To: <20170830224613.24738-1-jferlan@redhat.com>
References: <20170830224613.24738-1-jferlan@redhat.com>

Introduce a function to set up any TLS needs for a disk source. If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail.

For VxHS, if cfg->haveTLS is set, then TLS creds will be added automatically to every VxHS disk that didn't specify "tls='no'" in the domain XML. Additionally, if the domain XML has "tls='yes'", but cfg->haveTLS is not set, then issue a configuration error.
Signed-off-by: John Ferlan
---

This is NEW from v5.

This patch adds the infrastructure to the qemuDomainPrepare* family of functions in order to walk the disk list looking for disks that need to be set up properly for TLS. The code is very similar to the chardev model - except that it can cause a failure to start the domain in the event that the vxhsTLS = 0, but domain XML haveTLS = yes. Essentially pulling in the code from v5 patch5 qemuBuildDiskVxHSTLSinfoCommandLine.

 src/qemu/qemu_domain.c  | 58 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_domain.h  |  5 +++++
 src/qemu/qemu_process.c |  4 ++++
 3 files changed, 67 insertions(+)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index cbee151..c3eadf3 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7520,6 +7520,64 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def, } =20 =20 +/* qemuProcessPrepareDiskSourceTLS: + * @source: pointer to host interface data for disk device + * @cfg: driver configuration + * + * Updates host interface TLS encryption setting based on qemu.conf + * for disk devices. This will be presented as "tls=3D'yes|no'" in + * live XML of a guest. + * + * Returns 0 on success, -1 on bad config/failure + */ +static int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + virQEMUDriverConfigPtr cfg) +{ + + /* VxHS doesn't utilize a password protected server certificate, + * so no need to add a secinfo for a secret UUID. */ + if (src->type =3D=3D VIR_STORAGE_TYPE_NETWORK && + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) { + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES && !cfg->vxhsTLS) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VxHS TLS protocol is configured in XML, but " + "TLS for VxHS is disabled in qemu.conf")); + return -1; + } + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_ABSENT && cfg->vxhsTLS) + src->haveTLS =3D VIR_TRISTATE_BOOL_YES; + } + + return 0; +} + + +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Iterate through all disk devices to setup/check any that would be + * using TLS. + * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i =3D 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, cfg) < 0) + return -1; + } + + return 0; +} + =20 int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f93b09b..f701287 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
@@ -841,6 +841,11 @@ void qemuDomainPrepareChardevSourceTLS(virDomainChrSou= rceDefPtr source, virQEMUDriverConfigPtr cfg) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); =20 +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + void qemuDomainPrepareChardevSource(virDomainDefPtr def, virQEMUDriverPtr driver) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 364c359..7978ef3 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -5326,6 +5326,10 @@ qemuProcessPrepareDomain(virConnectPtr conn, if (qemuDomainMasterKeyCreate(vm) < 0) goto cleanup; =20 + VIR_DEBUG("Prepare disk source backends for TLS"); + if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0) + goto cleanup; + VIR_DEBUG("Prepare chardev source backends for TLS"); qemuDomainPrepareChardevSource(vm->def, driver); =20 --=20 2.9.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
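Review bot: in the qemu_domain.c hunk, qemuDomainPrepareDiskSourceTLS only ever promotes VIR_TRISTATE_BOOL_ABSENT to VIR_TRISTATE_BOOL_YES (when cfg->vxhsTLS is set); when vxhsTLS is off, ABSENT is left as ABSENT, yet the doc comment above it says the setting "will be presented as tls='yes|no' in live XML of a guest". Either add the symmetric case (set src->haveTLS = VIR_TRISTATE_BOOL_NO when haveTLS is ABSENT and !cfg->vxhsTLS) so the live XML really records the decision that was made, or reword the comment to say only tls='yes' is filled in. The same two doc comments also do not match the code they sit on: they are headed `qemuProcessPrepareDiskSourceTLS` and `qemuProcessPrepareDiskSource` while the functions are `qemuDomainPrepareDiskSourceTLS` and `qemuDomainPrepareDiskSource`, `@source` documents a parameter named `src`, and `@driver: qemu driver` documents a parameter that is `virQEMUDriverConfigPtr cfg`. Relatedly, the commit message talks about `cfg->haveTLS` but the field tested here is `cfg->vxhsTLS`, so the message should be corrected to match. Two smaller points: drop the empty line directly after the opening brace of qemuDomainPrepareDiskSourceTLS, and note that the loop in qemuDomainPrepareDiskSource looks only at `def->disks[i]->src`, so a VxHS network source appearing further down a backing chain would not be checked; if top-level sources are all that matter here, a sentence in the comment saying so would stop the next reader from wondering.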
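Review bot: the new prototype in the qemu_domain.h hunk uses a different layout from the declarations around it: `+int` sits on its own line followed by `+qemuDomainPrepareDiskSource(virDomainDefPtr def,`, whereas the neighbouring `void qemuDomainPrepareChardevSourceTLS(...)` and `void qemuDomainPrepareChardevSource(...)` keep the return type on the same line as the name; match the surrounding style. Also, this function takes `virQEMUDriverConfigPtr cfg` while its sibling qemuDomainPrepareChardevSource takes `virQEMUDriverPtr driver`, and the qemu_process.c hunk calls the two back to back with different arguments; picking one convention for the pair (or noting why the disk variant needs only the config) would make the two read consistently.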
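Review bot: in the qemu_process.c hunk the only failure qemuDomainPrepareDiskSource can report is the VIR_ERR_CONFIG_UNSUPPORTED mismatch between tls='yes' in the XML and vxhsTLS in qemu.conf, and by the hunk's own comment ("no need to add a secinfo for a secret UUID") it does not depend on the master key created by the preceding qemuDomainMasterKeyCreate call. Consider placing the call before that step so a pure configuration mistake fails before any per-domain resources are set up; if the ordering is deliberate (for example to keep it next to the chardev TLS preparation), a short note in the commit message would save the next reviewer the same question.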